The present invention relates to an access privilege transferring method for safely transferring “capability” descriptive of access privileges related to objects between subjects (users) over an object space in which service objects are scattered.
More specifically, the present invention relates to an access privilege transferring method for safely transferring “capability” descriptive of access privileges related to objects between hosts (users) under a distributed computing environment in which the plural hosts are connected to one another by a network and objects are scattered over the network.
With rapid advances in a recent information technology (IT) field, various general-purpose computer systems such as work stations, personal computers, etc., have been developed and manufactured and are now widely used in laboratories of universities, etc., enterprises' offices, homes in general.
Digitized various resource objects such as a text format, a document file, a voice file, an image file can be handled over a computer system.
In recent years, most of computer systems have been connected to a network such as a LAN (Local Are Network), an Internet and placed under a distributed computing environment. Under the distributed computing environment, it is not necessary for respective users to recognize the places of resource objects such as programs, data in particular. Further, procedures and methods executed by computers have been held and managed in distributed form over the network.
For example, a method called “Remote Procedure Call (RPC)” or “Remote Method Invocation (RMI)” that a process operated over a given computer placed on a network invokes a procedure of a process operated on another computer and puts it into action, has also been widely adopted. An interface for the executed procedure is described in advance and placed in both computers on the invocation and execution sides, whereby such remote procedure call can be suitably implemented.
On the other hand, a managing method or system related to “Access Privileges”, for controlling whom (subject) an access operation or accessing (Verb) corresponding to what extent, to shared resource objects (Objects) such as files is allowed, becomes an important technical problem. Control on the access privileges can be described and managed judging the control as a relation established between S (Subject: main body)—V (Verb: accessing or access operation)—O (Object: file or the like intended for operation). It is noted that the S, i.e., subject is grasped as substantially synonymous with a user who desires to do a file operation, a user account or user identification information.
For example, the following are mentioned as privilege for the verb or accessing (V) to the object (O) described herein.
(1) right to read out file
(2) right to write in file (update)
(3) right to create file anew
(4) right to delete file
(5) right to retrieve file
(6) right to change file attribute of file's name or the like
Allowing unrestricted access privileges to all users will incur the danger of stalking with a bad use and abuse of files such as the arbitrary duplication, tampering or deletion thereof. As a result, a given user suffers an unexpected disadvantage and undergoes mortal damage in some cases. Unsuitable control or management of the access privileges will bring about even a breakdown of the distributed computing environment.
The concept of “access control matrix” has been known for long to those skilled in the art as the method for managing the access privileges to each object. As represented in “Table 1” shown below, the access control matrix is described in a table format, which represents, at a glance, whom (Subject) access privileges (Verb) corresponding to what extent, to respective objects (Object) such as files, are given.
TABLE 1Privilege information(capability) held by Alex)#FILE1#FILE2#FILE3. . .AlexRead/WriteReadBobReadRead/WriteCod...............Access control list(ACL) for #FILE
In an example shown in “Table 1”, accessing or access operation for reading (Read) and writing (Write) “File#1” as an object is allowed for, for example, a subject called “Alex”, i.e., a user account. However, only reading is allowed for “File#2”, and . . . is given to a subject of “Bob”.
Information obtained by cutting out the access control matrix for every column corresponds to information descriptive of operation privilege allowed for respective subjects or users by objects, which is called “Access Control List: ACL”. In the example shown in “Table 1”, for example, the column corresponding to “File#1” is an access control list indicative of operation privilege given to Alex, Bob and Cod for the objects, respectively. “Unix”, widely used as an operation system (OS) for a server or development platform, makes use of a simplified access control list.
Further, ones obtained by cutting out the access control matrix for every row correspond to information descriptive of operation privilege allowed for respective objects by subjects, i.e., users, which is called “privilege information” or “capability (Capability)”. For example, a first row of the access control matrix shown in “Table 1” corresponds to the capability related to the user “Alex”. Further, a second row corresponds to the capability related to the user “Bob”.
The capability has a role of a sort of key for allowing an access to each object. Namely, the access to each object is permitted for a subject or user having a capability. The capability is described in a URL (Uniform Resource Locator) character string over a network (e.g., Internet) wherein, for example, an infinite number of hosts are TCP/IP (Transmission Control Protocol/Internet Protocol)-connected, and may be exchanged between the hosts as an HTTP (Hyper Text Transfer Protocol) message.
Owing to the delivery of the capability from Alex to Cod, for example, Cod is capable of holding operation privilege similar to Alex with respect to each object. Cod having taken over the capability obtains access to each object as a representative of Alex even in the absence of Alex and is capable of acting for Alex's duty.
However, if the capability is transferred or lent and given without any restriction, there is a possibility that an unexpected disadvantage will occur due to the bad use and abuse of the capability. Therefore, the capability transferor may preferably deliver the capability in the form of weakened privilege contents as in the case of addition of an expiration date or the number of permissions for use to the capability, a limitation of operation privilege to each object (e.g., a limitation of a full access to only reading), etc.
When a subject having obtained the capability by transfer delivers the contents thereof in such a format as to be interpretable with ease, a transferee or assignee would be in danger of tampering with the contents of the capability to thereby strengthen privilege freely, and duplicating the capability without permission to thereby access each object without any restriction. Further, a third party who intercepts the transmission of the capability, is also able to operate each object illegally in a manner similar to above.
If the above is described collectively, then the safe transfer of the capability between the respective hosts on the network becomes an important technical problem in terms of the protection of each object.
As to access control on each object, several techniques have already been proposed.
For example, Japanese Published Unexamined Patent Application No. Hei 5-81204 discloses access control in a distributed computer system. According to the same publication, there is provided a method capable of controlling a substitute use of a privilege attribute certificate (PAC) equivalent to a capability and simultaneously using the PAC for many purposes. Namely, when the PAC is distributed, a starter qualification attribute corresponding to a starter subject is included therein and an encryption key having the starter qualification attribute on an encrypted basis is distributed to the starter subject.
However, according to the method disclosed in Japanese Published Unexamined Patent Application No. Hei 5-81204, it cannot cope with variations in capability such as an expiration date of use and the number of accesses. Further, no method of freely creating a PAC weakened in capability by the starter subject is disclosed.
On the other hand, Japanese Published Unexamined Patent Application No. Hei 9-319659 discloses a method for assigning different capabilities to respective users in a non-distributed computer system. According to the same publication, the entire computer function is subdivided into event sets each having a capability set. Further, the capability is given according to a specific job to be executed by each user on the computer system.
However, the invention according to Japanese Published Unexamined Patent Application No. Hei 9-319659 is not one applied to a distributed environment under which the capability cannot be protected in safety. Further, the same publication refers to no method of safely inspecting capabilities between objects.
Further, Japanese Published Unexamined Patent Application No. Hei 9-251425 discloses security control on an access to a system resource in a distributed system.
According to the security control system disclosed in the same publication, a group identifying mark is stored and joined to a target object. It is next judged using a membership test whether a client who makes an access request to a target object, is a group member having access privileges to a target.
However, Japanese Published Unexamined Patent Application No. Hei 9-251425 does not disclose a method for handling or coping with variations in capability such as an expiration date of use and the number of accesses. Further, the present publication does not refer to a method for generating a capability anew by a capability holder and invalidating the generated capability.
Further, the “Amoeba” known to those skilled in the art as a distributed OS (Operating System) provides capabilities capable of transfer and difficult to forge. This is implemented by the following mechanisms.
(1) A client transmits an object generation request to a server.
(2) The server generates objects and assigns object numbers and random numbers thereto respectively. The random numbers are stored in object tables indexed with the object numbers.
(3) The server generates a capability including a check field in which privilege and random numbers are encrypted with the random numbers as keys.
(4) The capability is returned to the client.
(5) The client issues an access request indicative of the capability to the server.
(6) The server extracts the corresponding object number and check field from the capability and decrypts the corresponding privilege and random number from the check field, based on the random numbers stored in the object tables.
(7) It is verified whether the random number obtained from the result of decrypting coincides with the random numbers stored in the object tables.
(8) If the required operation matches with the privilege described in the capability, then the server executes the operation.
The Amoeba is also provided with the following mechanisms to allow the capability holder to generate anew capability weakened in privilege.
(1) Each of clients and a server share the use of N commutative one-way functions.
(2) The client generates second privilege.
(3) The client applies all the one-way functions associated with numbers each corresponding to privilege equivalent to the difference between first privilege and the second privilege to thereby generate a second check field.
(4) The server receives a capability including the second privilege and second check field.
(5) The server successively applies the one-way functions in accordance with a privilege field. When each one-way function coincides with the check field offered by the client, the server executes its operation.
However, the Amoeba defines the method of describing the propriety of N pieces of privilege by using the N commutative one-way functions but does not take into consideration points corresponding to many variations about privilege such as usage privilege and the number of privilege uses. As to capability's invalidation, the Amoeba defines the method of invalidating all the capabilities about a given object by changing the random numbers held by the server but does not refer to a method of invalidating the specific capability. The Amoeba does not define invalidation of only a capability generated by a given capability holder and a capability derived therefrom at all. In the Amoeba, the object number itself for accessing each object is not protected at all.
A paper of Bjorn N. Freeman-Benson open to the public on a Web, “Using the Web to Private Information—or—A Short Paper About Password Protection Without Client Modification” discloses the handling of a confidential URL (i.e., capability). A method described in the same paper follows a procedure shown below.                (1) A server generates and holds a password list including pairs of log-in names and passwords. Further, the server holds an encryption key.        (2) A client transmits a message including a pair of a log-in name and a password to the server.        (3) The server retrieves the password list. If the corresponding pair of the log-in name and password transmitted from the client is found, then the server transmits a character string obtained by encrypting the log-in name and password with the encryption key to the client as an access key inclusive of it in an URL.        (4) The client makes an access request to the server using the received URL.        (5) The server extracts the access key from the received URL and decrypts it by using the encryption key to thereby obtain the pair of the original log-in name and password. Further, the server checks to see whether it is registered in the password list.        (6) If it is found to have been registered in the password list, then the server permits an access to the corresponding object.        
Further, the same paper refers to the point that the client makes a change in password to thereby allow invalidation of the URL.
However, the same paper does not disclose the point that plural URLs (i.e., capabilities) legitimate and different from one another for a given object are generated.
If the above is summed up, then the prior art has the following problems:                (1) It is difficult to safely manage and transfer capabilities in association with variations diversified in privilege contents such as the expiration date of usage and the number of valid uses.        (2) It is difficult to invalidate only some of capabilities without invalidating all the capabilities related to the corresponding object.        (3) A subject having a capability is not able to freely generate a capability changed (weakened) in the contents of privilege held by the capability and safely manage and transfer it or invalidate it.        